Commit 1e461145 authored by Fabien Combernous

Merge branch '18-add-fact-that-gives-ipa-role' into 'master'

Resolve "add fact that gives ipa role"

Closes #18

See merge request !49
parents 61224e85 5d0bf8fc
Facter.add(:iparole) do
confine kernel: 'Linux'
setcode do
pkicfg = '/etc/pki/pki-tomcat/ca/CS.cfg'
if File.exist? pkicfg
data = Facter::Core::Execution.execute("cat #{pkicfg}")
role = if data.gsub!(%r{ca.crl.MasterCRL.enableCRLUpdates=true}, '')
'master'
elsif data.gsub!(%r{ca.crl.MasterCRL.enableCRLUpdates=false}, '')
'replica'
else
nil
end
else
role = if (!File.exist? '/usr/sbin/ipactl') && (File.exist? '/usr/sbin/ipa-client-install')
'client'
else
nil
end
end
role
end
end
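Review bot: The fact shells out with `Facter::Core::Execution.execute("cat #{pkicfg}")` on L16 to read a local file and then uses `gsub!` on L17/L19 purely as a matcher (it also mutates `data`); both should be plain Ruby: `data = File.read(pkicfg)`, `role = if data =~ /^ca\.crl\.MasterCRL\.enableCRLUpdates=true$/`, and the same form for the `=false` branch. The escaped dots and the per-line anchors matter because the unescaped pattern also matches a commented-out or similarly named key. `File.exist?` on L15 is true for root-only files as well, so when facter runs unprivileged the branch is taken and the read then fails; `File.readable?` (or rescuing the read and returning nil) keeps the whole fact from erroring out — I cannot confirm CS.cfg's mode from here. Whether `enableCRLUpdates` reliably separates master from replica, and what a replica installed without a CA reports (it presumably falls through to `nil`), is not something this hunk establishes, so a short comment stating that assumption would help the next reader.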
......@@ -6,64 +6,68 @@
#
class freeipa::install::client {
package{$freeipa::ipa_client_package_name:
ensure => present,
}
package{$freeipa::kstart_package_name:
ensure => present,
}
if ! $facts['iparole'] or $facts['iparole'] == 'client' {
package{$freeipa::ipa_client_package_name:
ensure => present,
}
if $freeipa::client_install_ldaputils {
package { $freeipa::ldaputils_package_name:
package{$freeipa::kstart_package_name:
ensure => present,
}
}
if $freeipa::mkhomedir {
$client_install_cmd_opts_mkhomedir = '--mkhomedir'
} else {
$client_install_cmd_opts_mkhomedir = ''
}
if $freeipa::client_install_ldaputils {
package { $freeipa::ldaputils_package_name:
ensure => present,
}
}
if $freeipa::fixed_primary {
$client_install_cmd_opts_fixed_primary = '--fixed-primary'
} else {
$client_install_cmd_opts_fixed_primary = ''
}
if $freeipa::mkhomedir {
$client_install_cmd_opts_mkhomedir = '--mkhomedir'
} else {
$client_install_cmd_opts_mkhomedir = ''
}
if $freeipa::configure_ntp {
$client_install_cmd_opts_no_ntp = ''
} else {
$client_install_cmd_opts_no_ntp = '--no-ntp'
}
if $freeipa::fixed_primary {
$client_install_cmd_opts_fixed_primary = '--fixed-primary'
} else {
$client_install_cmd_opts_fixed_primary = ''
}
$client_install_cmd = "/usr/sbin/ipa-client-install \
--server=${freeipa::ipa_master_fqdn} \
--realm=${freeipa::realm} \
--domain=${freeipa::domain} \
--principal='${freeipa::principal_usedto_joindomain}' \
--password='${freeipa::password_usedto_joindomain}' \
${client_install_cmd_opts_mkhomedir} \
${client_install_cmd_opts_fixed_primary} \
${client_install_cmd_opts_no_ntp} \
--unattended"
if $freeipa::configure_ntp {
$client_install_cmd_opts_no_ntp = ''
} else {
$client_install_cmd_opts_no_ntp = '--no-ntp'
}
exec { "client_install_${::fqdn}":
command => $client_install_cmd,
timeout => 0,
unless => "cat /etc/ipa/default.conf | grep -i \"${freeipa::domain}\"",
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
before => Service['sssd'],
provider => 'shell',
}
$client_install_cmd = "/usr/sbin/ipa-client-install \
--server=${freeipa::ipa_master_fqdn} \
--realm=${freeipa::realm} \
--domain=${freeipa::domain} \
--principal='${freeipa::principal_usedto_joindomain}' \
--password='${freeipa::password_usedto_joindomain}' \
${client_install_cmd_opts_mkhomedir} \
${client_install_cmd_opts_fixed_primary} \
${client_install_cmd_opts_no_ntp} \
--unattended"
if $freeipa::install_sssd {
service { 'sssd':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
exec { "client_install_${::fqdn}":
command => $client_install_cmd,
timeout => 0,
unless => "cat /etc/ipa/default.conf | grep -i \"${freeipa::domain}\"",
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
before => Service['sssd'],
provider => 'shell',
}
if $freeipa::install_sssd {
service { 'sssd':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
}
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'client' is not supported.")
}
}
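Review bot: The new gate `if ! $facts['iparole'] or $facts['iparole'] == 'client'` on L43 (and the equivalent guards added to server.pp, master.pp and replica.pp in this commit) keys the decision on a fact the agent itself reports, so it protects against an operator flipping `ipa_role` on an already-installed node, not against a node that misreports its role; a one-line comment such as `# iparole is node-reported: a misconfiguration guard, not an authorization check` would stop a later reader from relying on it for more. An unset `iparole` is the intended first-run case, but it is also what a node whose fact errored out looks like, and then only `creates => '/etc/ipa/default.conf'` on the exec prevents a re-enrolment attempt. The re-indented command on L112 still passes `--password='…'` on the ipa-client-install command line, which I believe an exec failure echoes into the agent log and report; that is pre-existing, but worth a follow-up given `logoutput => 'on_failure'`.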
......@@ -5,103 +5,106 @@
# include freeipa::install::server
class freeipa::install::server {
Exec {
path => '/usr/local/bin/:/bin/:/sbin',
}
package{$freeipa::ipa_server_package_name:
ensure => present,
}
if $facts['iparole'] != 'client' {
Exec {
path => '/usr/local/bin/:/bin/:/sbin',
}
package{$freeipa::kstart_package_name:
ensure => present,
}
package{$freeipa::ipa_server_package_name:
ensure => present,
}
if $freeipa::server_install_ldaputils {
package { $freeipa::ldaputils_package_name:
package{$freeipa::kstart_package_name:
ensure => present,
}
}
$server_install_cmd_opts_idstart = "--idstart=${freeipa::idstart}"
if $freeipa::server_install_ldaputils {
package { $freeipa::ldaputils_package_name:
ensure => present,
}
}
if $freeipa::enable_hostname {
$server_install_cmd_opts_hostname = "--hostname=${freeipa::ipa_server_fqdn}"
end
} else {
$server_install_cmd_opts_hostname = ''
}
$server_install_cmd_opts_idstart = "--idstart=${freeipa::idstart}"
if $freeipa::enable_ip_address {
$server_install_cmd_opts_ip_address = "--ip-address ${freeipa::ip_address}"
} else {
$server_install_cmd_opts_ip_address = ''
}
if $freeipa::enable_hostname {
$server_install_cmd_opts_hostname = "--hostname=${freeipa::ipa_server_fqdn}"
end
} else {
$server_install_cmd_opts_hostname = ''
}
if $freeipa::final_configure_dns_server {
$server_install_cmd_opts_setup_dns = '--setup-dns'
} else {
$server_install_cmd_opts_setup_dns = ''
}
if $freeipa::enable_ip_address {
$server_install_cmd_opts_ip_address = "--ip-address ${freeipa::ip_address}"
} else {
$server_install_cmd_opts_ip_address = ''
}
if $freeipa::configure_ntp {
$server_install_cmd_opts_no_ntp = ''
} else {
$server_install_cmd_opts_no_ntp = '--no-ntp'
}
if $freeipa::final_configure_dns_server {
$server_install_cmd_opts_setup_dns = '--setup-dns'
} else {
$server_install_cmd_opts_setup_dns = ''
}
if $freeipa::final_configure_dns_server {
if size($freeipa::custom_dns_forwarders) > 0 {
$server_install_cmd_opts_forwarders = join(
prefix(
$freeipa::custom_dns_forwarders,
'--forwarder '),
' '
)
if $freeipa::configure_ntp {
$server_install_cmd_opts_no_ntp = ''
} else {
$server_install_cmd_opts_no_ntp = '--no-ntp'
}
if $freeipa::final_configure_dns_server {
if size($freeipa::custom_dns_forwarders) > 0 {
$server_install_cmd_opts_forwarders = join(
prefix(
$freeipa::custom_dns_forwarders,
'--forwarder '),
' '
)
}
else {
$server_install_cmd_opts_forwarders = '--no-forwarders'
}
}
else {
$server_install_cmd_opts_forwarders = '--no-forwarders'
$server_install_cmd_opts_forwarders = ''
}
}
else {
$server_install_cmd_opts_forwarders = ''
}
if $freeipa::no_ui_redirect {
$server_install_cmd_opts_no_ui_redirect = ''
} else {
$server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect'
}
if $freeipa::ipa_role == 'master' {
contain 'freeipa::install::server::master'
} elsif $freeipa::ipa_role == 'replica' {
contain 'freeipa::install::server::replica'
}
if $freeipa::no_ui_redirect {
$server_install_cmd_opts_no_ui_redirect = ''
} else {
$server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect'
}
ensure_resource (
'service',
'httpd',
{ensure => 'running'},
)
if $freeipa::ipa_role == 'master' {
contain 'freeipa::install::server::master'
} elsif $freeipa::ipa_role == 'replica' {
contain 'freeipa::install::server::replica'
}
contain 'freeipa::config::webui'
ensure_resource (
'service',
'httpd',
{ensure => 'running'},
)
service { 'ipa':
ensure => 'running',
enable => true,
require => Exec["server_install_${freeipa::ipa_server_fqdn}"],
}
contain 'freeipa::config::webui'
if $freeipa::install_sssd {
service { 'sssd':
service { 'ipa':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
require => Exec["server_install_${freeipa::ipa_server_fqdn}"],
}
}
freeipa::helpers::flushcache { "server_${freeipa::ipa_server_fqdn}": }
class {'freeipa::config::admin_user': }
if $freeipa::install_sssd {
service { 'sssd':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
}
}
freeipa::helpers::flushcache { "server_${freeipa::ipa_server_fqdn}": }
class {'freeipa::config::admin_user': }
} else {
fail ("to change ipa_role from '${facts['iparole']}' to '${freeipa::ipa_role}' is not supported.")
}
}
......@@ -20,24 +20,27 @@ class freeipa::install::server::master {
--auto-reverse \
--unattended"
file { '/etc/ipa/primary':
ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
if ! $facts['iparole'] or $facts['iparole'] == 'master' {
file { '/etc/ipa/primary':
ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $server_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root': #allows scp to replicas as root
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'master' is not supported.")
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $server_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root': #allows scp to replicas as root
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
}
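Review bot: The `cron { 'k5start_root': ... }` resource moved under the new guard (L326–L331, and the same resource in replica.pp) keeps root's ticket cache at `/tmp/krb5cc_0`, a world-writable directory; that is pre-existing, but a root-only location (a file under `/run`, for example) would remove the pre-creation/symlink concern — I cannot tell from the hunk whether anything else expects that exact path. The `# allows scp to replicas as root` comment on L326 names the consumer only indirectly; if replica setup is what reads this cache, say so: `# root ticket cache used when copying files to replicas (see replica setup)`. The class body starts before this hunk.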
......@@ -18,25 +18,28 @@ class freeipa::install::server::replica {
${freeipa::install::server::server_install_cmd_opts_no_ui_redirect} \
--unattended"
# TODO: config-show and grep for IPA\ masters
file { '/etc/ipa/primary':
ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
if ! $facts['iparole'] or $facts['iparole'] == 'replica' {
# TODO: config-show and grep for IPA\ masters
file { '/etc/ipa/primary':
ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $replica_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root':
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'replica' is not supported.")
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $replica_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root':
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
}
......@@ -88,6 +88,55 @@ describe 'freeipa class' do
end
end
context 'with ipa_role replica on master' do
hosts_as('master').each do |master|
it 'fails' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'replica',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end
end
end
context 'with ipa_role client on master' do
hosts_as('master').each do |master|
it 'fails' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'client',
domain => 'example.lan',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
ip_address => '10.10.10.35',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan'
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end
end
end
context 'Test ssh connnections for toto user with pre-defined ssh-key' do
# Install ssh key on root on master
hosts_as('master').each do |master|
require 'spec_helper'
describe 'freeipa::install::client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
context 'with node not yet configured' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
end
end
end
context 'with node configured as client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'client') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
end
end
end
context 'with node configured as master' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'master') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'master' to 'client' is not supported}) }
end
end
end
end
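Review bot: In the `'with node configured as master'` context, L534 `it { is_expected.to compile }` and L535 `it { is_expected.to compile.and_raise_error(...) }` contradict each other if both are on the new side — a catalog that raises cannot also compile, so the first example fails; the matching contexts in the master spec keep only one of the two, and L534 looks like a leftover to drop. The `pre_condition` heredoc is repeated verbatim in all three contexts; a single `let(:pre_condition)` at the `describe` level, with each context overriding only `let(:facts)`, would leave the role under test as the only visible difference.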
require 'spec_helper'
describe 'freeipa::install::server::master' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
context 'with node not yet configured' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end
let(:facts) { os_facts }
end
end
it { is_expected.to compile }
context 'with node configured as master' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'master') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
end
end
end
context 'with node configured as replica' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'replica') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'replica' to 'master' is not supported}) }
end
end
end
context 'with node configured as client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'client') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'client' to 'master' is not supported}) }
end
end
end
end
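Review bot: Each of the four contexts re-runs `on_supported_os.each` and re-declares the same `pre_condition` heredoc (L558–L651); inverting the nesting — one `on_supported_os.each`, `let(:pre_condition)` at the `context "on #{os}"` level, and the four role contexts inside it each setting only `let(:facts) { os_facts.merge(iparole: '…') }` — removes most of the duplication and keeps the role as the single difference. The `'with node not yet configured'` context relies on `os_facts` carrying no `iparole` key, which the fixture facts presumably do not; making that explicit, e.g. `let(:facts) { os_facts.reject { |k, _| k.to_s == 'iparole' } }`, documents the intent rather than assuming it.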
require 'spec_helper'
describe 'freeipa::install::server::replica' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'replica',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
context 'with node not yet configured' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'replica',